How to verify a cert chain using the OpenSSL command line?

Hi,

As a test, I have created a rootCA, a subCA (signed by the rootCA) and
a client cert (signed by the subCA). Now I want to use verify,
s_client and s_server to test them together.

However, I have searched and tried a number of times but am still unsure
about the correct syntax of the verify command. This is what I did:

cat rootCA.crt subCA.crt > caChain.crt

openssl -verbose -verify -CAflie caChain.crt clientCert.crt

openssl verify -CAfile caChain.crt client/clientCert.crt
client/clientCert.crt: C = US, ST = California, O = David's company,
CN = David's client cert, emailAddress = david.li at example.com
error 47 at 0 depth lookup:permitted subtree violation


However it seems my s_client and s_server test is OK:

I created a caChain by concatenating rootCA and subCA together:

Server:
openssl s_server -cert server/serverComb.crt -www -CAfile caChain.crt -verify 3

where serverComb.crt = cat of serverCert and server key

Client:
openssl s_client -CAfile caChina.crt -cert client/clientComb.crt

where clientComb = cat of clientCert and clientKey


Does anyone have any idea why the verify command failed?

Thanks.
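
Error 47 is X509_V_ERR_PERMITTED_VIOLATION, which OpenSSL reports when a name in the certificate falls outside the permitted subtree of a CA's nameConstraints extension. The script below is an added example, not part of the original post: it rebuilds a rootCA / subCA / client chain with constructed names and assumes the subCA carries an e-mail name constraint (the post does not show its CA extensions), then runs the same `openssl verify -CAfile caChain.crt` check against one client cert inside and one outside that constraint.

```shell
#!/bin/sh
# Added example: throwaway test PKI. Every name, file and constraint is constructed.
set -e
cd "$(mktemp -d)"

cat > pki.cnf <<'EOF'
[req]
distinguished_name = dn
[dn]
commonName = Common Name
[v3_root]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
[v3_sub]
basicConstraints = critical, CA:TRUE, pathlen:0
keyUsage = critical, keyCertSign, cRLSign
# Assumption: the subCA restricts e-mail names to one domain.
nameConstraints = critical, permitted;email:example.com
[v3_leaf]
basicConstraints = CA:FALSE
EOF

# issue NAME SUBJECT ISSUER EXT_SECTION: new key and CSR, signed by ISSUER
issue() {
  openssl req -new -newkey rsa:2048 -nodes -config pki.cnf \
    -keyout "$1.key" -out "$1.csr" -subj "$2" 2>/dev/null
  openssl x509 -req -in "$1.csr" -CA "$3.crt" -CAkey "$3.key" -CAcreateserial \
    -days 1 -extfile pki.cnf -extensions "$4" -out "$1.crt" 2>/dev/null
}

# verify_leaf NAME: print openssl's verdict, using rootCA + subCA as in the post
verify_leaf() {
  openssl verify -CAfile caChain.crt "$1.crt" 2>&1 || true
}

# show_constraints CERT: dump the Name Constraints extension, if present
show_constraints() {
  openssl x509 -in "$1" -noout -text | grep -A3 'Name Constraints' || true
}

openssl req -x509 -newkey rsa:2048 -nodes -config pki.cnf -extensions v3_root \
  -keyout rootCA.key -out rootCA.crt -subj "/CN=Test Root CA" -days 1 2>/dev/null
issue subCA   "/CN=Test Sub CA" rootCA v3_sub
issue inside  "/CN=Test Client/emailAddress=user@example.com" subCA v3_leaf
issue outside "/CN=Test Client/emailAddress=user@example.org" subCA v3_leaf
cat rootCA.crt subCA.crt > caChain.crt

show_constraints subCA.crt
verify_leaf inside    # inside.crt: OK
verify_leaf outside   # error 47 at 0 depth lookup: permitted subtree violation
```

Running `show_constraints` on each CA certificate of a real chain shows which names that CA permits, which is the first thing to compare against the failing certificate's subject and subjectAltName.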

